Governance, Risk and Compliance (GRC) Consultancy


Overview

The world is becoming more volatile: all regulated and many unregulated industries are coming under increased scrutiny, and regulators are seeking to demonstrate that they are effective and that regulated industries comply with legislation and regulations. Regulatory compliance is increasingly challenging. Understanding what obligations exist in complex international transactions is very difficult, so a method by which that can be automated is highly desirable. The cost of complying is a material overhead, so reducing the cost of compliance is also highly attractive.

Stakeholders are also becoming extremely active in forcing companies to comply with the stringent levels of regulations governing business activities. The US Sarbanes-Oxley Act has changed the governance landscape on a global basis with a maze of new rules and regulations for accounting and disclosure, internal controls and risk management. Boards and audit committees have specific new requirements in fulfilling their roles. Furthermore, significant new legislation to combat money-laundering and terrorist financing was introduced in the UK and US at the end of 2001.

Too many businesses have rapid turnover of staff who do not always know the intricacies of their business processes. With a lack of:

  • control;
  • documented and up to date procedures;
  • knowledgeable staff;

there is a strong (some would say very strong) possibility of governance and compliance failures. Today, in rapidly expanding organisations, many managers, let alone employees, are not even aware of their own legislative, governance and compliance requirements.

Most recently, we have seen the finger pointed increasingly at executives, with personal accountability of the CEO or CFO common in these new approaches, although the number of executives facing incarceration has largely been restricted to the United States.

Where this happens, organisations usually implement one-off responses to every new requirement placed on them. This will not necessarily rebuild trust, but it will consume a large amount of money on the next short-sighted solution.

Any organisation that wishes to build and develop stakeholder trust and confidence does not adopt one-off approaches, but rather implements an integrated approach to the whole gamut of GRC.

GRC is an increasingly recognised industry term that reflects a new way in which organisations can adopt an integrated approach to these three closely related areas of business management. The term covers a number of business activities that are related and overlapping, including activities within an organisation such as internal audit, compliance programmes, enterprise risk management (ERM), operational risk, incident management, business continuity, information assurance, legislation, regulation and best practice.

GRC is made up of:

  • people;
  • processes;
  • corporate culture;
  • information processing systems;
  • the community in which they all exist.

The use of information processing systems can enable the effective and efficient use and sharing of information between disparate and diverse users of those systems. The combined effective and efficient use of information processing systems with an integrated GRC system can be used to:

  • rebuild and increase stakeholder trust;
  • provide transparency;
  • ensure accountability;
  • preserve and protect reputation;
  • ultimately provide competitive advantage.

To build business trust, there are three key pillars with a supporting infrastructure that need to be in place and working correctly. The pillars are:

  • honesty: the organisation is truthful, accurate, and complete in communications with all stakeholders;
  • accountability: the organisation, its officers and staff are accountable for their actions, both internal and external to the organisation, and abide by their stated commitments;
  • corporate social responsibility (CSR): a concept whereby organisations consider the interests of society by taking responsibility for the impact of their activities on all stakeholders, as well as on the environment. This obligation is seen to extend beyond the statutory obligation to comply with legislation, with organisations voluntarily taking further steps to improve the quality of life for all stakeholders, though this will vary from organisation to organisation.

Underpinning these three pillars is the base infrastructure of:

  • transparency: all organisational stakeholders have access to corporate information that may affect their interests. There is no 'hidden' information of any sort, and no undisclosed reputational harm that is about to be made public.

Service Offering

BCRM has developed an innovative approach to managing GRC that provides individual accountability and traceability of all actions, maintains a comprehensive document retention and production process, and can optionally be optimised for any given organisation by using advanced mathematical modelling. BCRM uses a flexible compliance documentation management and workflow solution (Work Force Director (WFD)) which will help any regulated business to simplify and reduce the cost of maintaining the significant document sets required in large banks. This product has been used to excellent effect in five global banks, including the largest of US banks.

The BCRM team consists of risk specialists, a number of whom have been regulators, so we know the rules, the process and how to address the issues. We can provide support, advice and assurance to help you manage your regulatory risks. We understand that, to be effective, a compliance plan needs:

  • to operate at a strategic level;
  • to maximise your competitive advantages;
  • to minimise costs;
  • to minimise disruption to the business.

When properly aligned with your organisation's business objectives and risk management strategies, your compliance plan can add real value to your organisation while ensuring that it embraces both the spirit of compliance and the letter of the law.

If you are in need of a proactive solution, we conduct compliance and regulatory due diligence reviews to ensure that your company is in line with relevant financial services laws and regulations. We can help you to improve your back-office operations and internal controls, and to develop in-house compliance policies and procedures.

For IT governance, we use COSO, ISO 27001, ITIL and CobIT. These are four compatible frameworks, operating at different levels of detail and scope, that together provide a set of controls and governance for IT:

  • COSO - organisation-wide controls;
  • CobIT - satisfies and extends the COSO controls relating to IT;
  • ITIL / ISO 20000 - can satisfy and extend the CobIT controls relating to Service Management (Problem Management, Change Control, Release Control, etc.);
  • ISO 27001 - IT security controls that meet and extend the CobIT security controls.

Approach

The BCRM approach to GRC covers:

  • defining the scope of the GRC;
  • understanding the business;
  • determining the relevant legislation and regulation applicable to the scope;
  • determining the effectiveness of the currently implemented controls;
  • producing a Gap Analysis report;
  • agreeing a way forward with the Client;
  • establishing process flow and interaction within the business;
  • developing a workflow and GRC model;
  • implementing and operating the GRC model;
  • testing the GRC model;
  • monitoring and reviewing the GRC model;
  • auditing the GRC model;
  • continuously improving the GRC model;
  • optionally, mathematical modelling of the business to determine areas for process improvement.

Benefits

The BCRM approach builds a sustainable and relevant GRC model for your organisation by:

  • providing accountability for all actions;
  • driving continuous improvement;
  • developing detailed process maps that show GRC requirements at each stage, as well as inputs and outputs to / from the process;
  • enabling interoperability between disparate systems;
  • ensuring that processes and procedures for GRC are documented and tested;
  • providing the ability to receive timely notification of reportable events (internally, or even to an external third party);
  • implementing a robust and sustainable GRC model;
  • implementing an incident management process in case unforeseen events occur;
  • ensuring legislative and regulatory compliance;
  • providing a tailored, integrated workflow and GRC model, designed specifically for your purposes;
  • providing traceability for all actions;
  • training your employees to use the GRC model and to provide timely reporting from it;
  • providing transparency of process;
  • understanding your business;
  • understanding your legislative and regulatory drivers.

Next Steps

  • BCRM has a number of other service offerings; these are listed here;
  • BCRM is committed to providing a consistently high-value service to our Clients;
  • David Lilburn Watson and Sian Watson, who remain personally 'hands-on' throughout the process, manage this process;
  • to understand how the BCRM suite of offerings can be used to transform your business, please contact us;
  • we look forward to discussing your specific requirements, at your convenience;
  • whatever other type of consultancy you require, we can possibly offer a free Health Check.